Merge pull request #17549 from yihuazhang/SPIFFE-API-CHANGE

Add a new TLS credential surface API

BUILD

@@ -1614,6 +1614,7 @@ grpc_cc_library(
         "src/core/lib/security/credentials/oauth2/oauth2_credentials.cc",
         "src/core/lib/security/credentials/plugin/plugin_credentials.cc",
         "src/core/lib/security/credentials/ssl/ssl_credentials.cc",
+        "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc",
         "src/core/lib/security/security_connector/alts/alts_security_connector.cc",
         "src/core/lib/security/security_connector/fake/fake_security_connector.cc",
         "src/core/lib/security/security_connector/load_system_roots_fallback.cc",
@@ -1648,6 +1649,7 @@ grpc_cc_library(
         "src/core/lib/security/credentials/oauth2/oauth2_credentials.h",
         "src/core/lib/security/credentials/plugin/plugin_credentials.h",
         "src/core/lib/security/credentials/ssl/ssl_credentials.h",
+        "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h",
         "src/core/lib/security/security_connector/alts/alts_security_connector.h",
         "src/core/lib/security/security_connector/fake/fake_security_connector.h",
         "src/core/lib/security/security_connector/load_system_roots.h",

CMakeLists.txt

@@ -1151,6 +1151,7 @@ add_library(grpc
   src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
   src/core/lib/security/credentials/plugin/plugin_credentials.cc
   src/core/lib/security/credentials/ssl/ssl_credentials.cc
+  src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc
   src/core/lib/security/security_connector/alts/alts_security_connector.cc
   src/core/lib/security/security_connector/fake/fake_security_connector.cc
   src/core/lib/security/security_connector/load_system_roots_fallback.cc
@@ -1609,6 +1610,7 @@ add_library(grpc_cronet
   src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
   src/core/lib/security/credentials/plugin/plugin_credentials.cc
   src/core/lib/security/credentials/ssl/ssl_credentials.cc
+  src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc
   src/core/lib/security/security_connector/alts/alts_security_connector.cc
   src/core/lib/security/security_connector/fake/fake_security_connector.cc
   src/core/lib/security/security_connector/load_system_roots_fallback.cc

Makefile

@@ -3672,6 +3672,7 @@ LIBGRPC_SRC = \
     src/core/lib/security/credentials/oauth2/oauth2_credentials.cc \
     src/core/lib/security/credentials/plugin/plugin_credentials.cc \
     src/core/lib/security/credentials/ssl/ssl_credentials.cc \
+    src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \
     src/core/lib/security/security_connector/alts/alts_security_connector.cc \
     src/core/lib/security/security_connector/fake/fake_security_connector.cc \
     src/core/lib/security/security_connector/load_system_roots_fallback.cc \
@@ -4124,6 +4125,7 @@ LIBGRPC_CRONET_SRC = \
     src/core/lib/security/credentials/oauth2/oauth2_credentials.cc \
     src/core/lib/security/credentials/plugin/plugin_credentials.cc \
     src/core/lib/security/credentials/ssl/ssl_credentials.cc \
+    src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \
     src/core/lib/security/security_connector/alts/alts_security_connector.cc \
     src/core/lib/security/security_connector/fake/fake_security_connector.cc \
     src/core/lib/security/security_connector/load_system_roots_fallback.cc \
@@ -25370,6 +25372,7 @@ src/core/lib/security/credentials/local/local_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/oauth2/oauth2_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/plugin/plugin_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/ssl/ssl_credentials.cc: $(OPENSSL_DEP)
+src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/alts/alts_security_connector.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/fake/fake_security_connector.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/load_system_roots_fallback.cc: $(OPENSSL_DEP)

build.yaml

@@ -837,6 +837,7 @@ filegroups:
   - src/core/lib/security/credentials/oauth2/oauth2_credentials.h
   - src/core/lib/security/credentials/plugin/plugin_credentials.h
   - src/core/lib/security/credentials/ssl/ssl_credentials.h
+  - src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
   - src/core/lib/security/security_connector/alts/alts_security_connector.h
   - src/core/lib/security/security_connector/fake/fake_security_connector.h
   - src/core/lib/security/security_connector/load_system_roots.h
@@ -869,6 +870,7 @@ filegroups:
   - src/core/lib/security/credentials/oauth2/oauth2_credentials.cc
   - src/core/lib/security/credentials/plugin/plugin_credentials.cc
   - src/core/lib/security/credentials/ssl/ssl_credentials.cc
+  - src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc
   - src/core/lib/security/security_connector/alts/alts_security_connector.cc
   - src/core/lib/security/security_connector/fake/fake_security_connector.cc
   - src/core/lib/security/security_connector/load_system_roots_fallback.cc

config.m4

@@ -283,6 +283,7 @@ if test "$PHP_GRPC" != "no"; then
     src/core/lib/security/credentials/oauth2/oauth2_credentials.cc \
     src/core/lib/security/credentials/plugin/plugin_credentials.cc \
     src/core/lib/security/credentials/ssl/ssl_credentials.cc \
+    src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \
     src/core/lib/security/security_connector/alts/alts_security_connector.cc \
     src/core/lib/security/security_connector/fake/fake_security_connector.cc \
     src/core/lib/security/security_connector/load_system_roots_fallback.cc \
@@ -728,6 +729,7 @@ if test "$PHP_GRPC" != "no"; then
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/oauth2)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/plugin)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/ssl)
+  PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/credentials/tls)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/alts)
   PHP_ADD_BUILD_DIR($ext_builddir/src/core/lib/security/security_connector/fake)

config.w32

@@ -258,6 +258,7 @@ if (PHP_GRPC != "no") {
     "src\\core\\lib\\security\\credentials\\oauth2\\oauth2_credentials.cc " +
     "src\\core\\lib\\security\\credentials\\plugin\\plugin_credentials.cc " +
     "src\\core\\lib\\security\\credentials\\ssl\\ssl_credentials.cc " +
+    "src\\core\\lib\\security\\credentials\\tls\\grpc_tls_credentials_options.cc " +
     "src\\core\\lib\\security\\security_connector\\alts\\alts_security_connector.cc " +
     "src\\core\\lib\\security\\security_connector\\fake\\fake_security_connector.cc " +
     "src\\core\\lib\\security\\security_connector\\load_system_roots_fallback.cc " +
@@ -743,6 +744,7 @@ if (PHP_GRPC != "no") {
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\oauth2");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\plugin");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\ssl");
+  FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\credentials\\tls");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\alts");
   FSO.CreateFolder(base_dir+"\\ext\\grpc\\src\\core\\lib\\security\\security_connector\\fake");

gRPC-C++.podspec

@@ -300,6 +300,7 @@ Pod::Spec.new do |s|
                       'src/core/lib/security/credentials/oauth2/oauth2_credentials.h',
                       'src/core/lib/security/credentials/plugin/plugin_credentials.h',
                       'src/core/lib/security/credentials/ssl/ssl_credentials.h',
+                      'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h',
                       'src/core/lib/security/security_connector/alts/alts_security_connector.h',
                       'src/core/lib/security/security_connector/fake/fake_security_connector.h',
                       'src/core/lib/security/security_connector/load_system_roots.h',

gRPC-Core.podspec

@@ -294,6 +294,7 @@ Pod::Spec.new do |s|
                       'src/core/lib/security/credentials/oauth2/oauth2_credentials.h',
                       'src/core/lib/security/credentials/plugin/plugin_credentials.h',
                       'src/core/lib/security/credentials/ssl/ssl_credentials.h',
+                      'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h',
                       'src/core/lib/security/security_connector/alts/alts_security_connector.h',
                       'src/core/lib/security/security_connector/fake/fake_security_connector.h',
                       'src/core/lib/security/security_connector/load_system_roots.h',
@@ -731,6 +732,7 @@ Pod::Spec.new do |s|
                       'src/core/lib/security/credentials/oauth2/oauth2_credentials.cc',
                       'src/core/lib/security/credentials/plugin/plugin_credentials.cc',
                       'src/core/lib/security/credentials/ssl/ssl_credentials.cc',
+                      'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc',
                       'src/core/lib/security/security_connector/alts/alts_security_connector.cc',
                       'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
                       'src/core/lib/security/security_connector/load_system_roots_fallback.cc',
@@ -923,6 +925,7 @@ Pod::Spec.new do |s|
                               'src/core/lib/security/credentials/oauth2/oauth2_credentials.h',
                               'src/core/lib/security/credentials/plugin/plugin_credentials.h',
                               'src/core/lib/security/credentials/ssl/ssl_credentials.h',
+                              'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h',
                               'src/core/lib/security/security_connector/alts/alts_security_connector.h',
                               'src/core/lib/security/security_connector/fake/fake_security_connector.h',
                               'src/core/lib/security/security_connector/load_system_roots.h',

grpc.def

@@ -131,6 +131,15 @@ EXPORTS
     grpc_alts_server_credentials_create
     grpc_local_credentials_create
     grpc_local_server_credentials_create
+    grpc_tls_credentials_options_create
+    grpc_tls_credentials_options_set_cert_request_type
+    grpc_tls_credentials_options_set_key_materials_config
+    grpc_tls_credentials_options_set_credential_reload_config
+    grpc_tls_credentials_options_set_server_authorization_check_config
+    grpc_tls_key_materials_config_create
+    grpc_tls_key_materials_config_set_key_materials
+    grpc_tls_credential_reload_config_create
+    grpc_tls_server_authorization_check_config_create
     grpc_raw_byte_buffer_create
     grpc_raw_compressed_byte_buffer_create
     grpc_byte_buffer_copy

grpc.gemspec

@@ -224,6 +224,7 @@ Gem::Specification.new do |s|
   s.files += %w( src/core/lib/security/credentials/oauth2/oauth2_credentials.h )
   s.files += %w( src/core/lib/security/credentials/plugin/plugin_credentials.h )
   s.files += %w( src/core/lib/security/credentials/ssl/ssl_credentials.h )
+  s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h )
   s.files += %w( src/core/lib/security/security_connector/alts/alts_security_connector.h )
   s.files += %w( src/core/lib/security/security_connector/fake/fake_security_connector.h )
   s.files += %w( src/core/lib/security/security_connector/load_system_roots.h )
@@ -665,6 +666,7 @@ Gem::Specification.new do |s|
   s.files += %w( src/core/lib/security/credentials/oauth2/oauth2_credentials.cc )
   s.files += %w( src/core/lib/security/credentials/plugin/plugin_credentials.cc )
   s.files += %w( src/core/lib/security/credentials/ssl/ssl_credentials.cc )
+  s.files += %w( src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc )
   s.files += %w( src/core/lib/security/security_connector/alts/alts_security_connector.cc )
   s.files += %w( src/core/lib/security/security_connector/fake/fake_security_connector.cc )
   s.files += %w( src/core/lib/security/security_connector/load_system_roots_fallback.cc )

grpc.gyp

@@ -465,6 +465,7 @@
         'src/core/lib/security/credentials/oauth2/oauth2_credentials.cc',
         'src/core/lib/security/credentials/plugin/plugin_credentials.cc',
         'src/core/lib/security/credentials/ssl/ssl_credentials.cc',
+        'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc',
         'src/core/lib/security/security_connector/alts/alts_security_connector.cc',
         'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
         'src/core/lib/security/security_connector/load_system_roots_fallback.cc',

include/grpc/grpc_security.h

@@ -609,6 +609,201 @@ GRPCAPI grpc_channel_credentials* grpc_local_credentials_create(
 GRPCAPI grpc_server_credentials* grpc_local_server_credentials_create(
     grpc_local_connect_type type);
 
+/** --- SPIFFE and HTTPS-based TLS channel/server credentials ---
+ * It is used for experimental purpose for now and subject to change. */
+
+/** Config for TLS key materials. It is used for
+ *  experimental purpose for now and subject to change. */
+typedef struct grpc_tls_key_materials_config grpc_tls_key_materials_config;
+
+/** Config for TLS credential reload. It is used for
+ *  experimental purpose for now and subject to change. */
+typedef struct grpc_tls_credential_reload_config
+    grpc_tls_credential_reload_config;
+
+/** Config for TLS server authorization check. It is used for
+ *  experimental purpose for now and subject to change. */
+typedef struct grpc_tls_server_authorization_check_config
+    grpc_tls_server_authorization_check_config;
+
+/** TLS credentials options. It is used for
+ *  experimental purpose for now and subject to change. */
+typedef struct grpc_tls_credentials_options grpc_tls_credentials_options;
+
+/** Create an empty TLS credentials options. It is used for
+ *  experimental purpose for now and subject to change. */
+GRPCAPI grpc_tls_credentials_options* grpc_tls_credentials_options_create();
+
+/** Set grpc_ssl_client_certificate_request_type field in credentials options
+    with the provided type. options should not be NULL.
+    It returns 1 on success and 0 on failure. It is used for
+    experimental purpose for now and subject to change. */
+GRPCAPI int grpc_tls_credentials_options_set_cert_request_type(
+    grpc_tls_credentials_options* options,
+    grpc_ssl_client_certificate_request_type type);
+
+/** Set grpc_tls_key_materials_config field in credentials options
+    with the provided config struct whose ownership is transferred.
+    Both parameters should not be NULL.
+    It returns 1 on success and 0 on failure. It is used for
+    experimental purpose for now and subject to change. */
+GRPCAPI int grpc_tls_credentials_options_set_key_materials_config(
+    grpc_tls_credentials_options* options,
+    grpc_tls_key_materials_config* config);
+
+/** Set grpc_tls_credential_reload_config field in credentials options
+    with the provided config struct whose ownership is transferred.
+    Both parameters should not be NULL.
+    It returns 1 on success and 0 on failure. It is used for
+    experimental purpose for now and subject to change. */
+GRPCAPI int grpc_tls_credentials_options_set_credential_reload_config(
+    grpc_tls_credentials_options* options,
+    grpc_tls_credential_reload_config* config);
+
+/** Set grpc_tls_server_authorization_check_config field in credentials options
+    with the provided config struct whose ownership is transferred.
+    Both parameters should not be NULL.
+    It returns 1 on success and 0 on failure. It is used for
+    experimental purpose for now and subject to change. */
+GRPCAPI int grpc_tls_credentials_options_set_server_authorization_check_config(
+    grpc_tls_credentials_options* options,
+    grpc_tls_server_authorization_check_config* config);
+
+/** --- TLS key materials config. ---
+    It is used for experimental purpose for now and subject to change. */
+
+/** Create an empty grpc_tls_key_materials_config instance.
+ *  It is used for experimental purpose for now and subject to change. */
+GRPCAPI grpc_tls_key_materials_config* grpc_tls_key_materials_config_create();
+
+/** Set grpc_tls_key_materials_config instance with provided a TLS certificate.
+    config will take the ownership of pem_root_certs and pem_key_cert_pairs.
+    It's valid for the caller to provide nullptr pem_root_certs, in which case
+    the gRPC-provided root cert will be used. pem_key_cert_pairs should not be
+    NULL. It returns 1 on success and 0 on failure. It is used for
+    experimental purpose for now and subject to change.
+ */
+GRPCAPI int grpc_tls_key_materials_config_set_key_materials(
+    grpc_tls_key_materials_config* config, const char* pem_root_certs,
+    const grpc_ssl_pem_key_cert_pair** pem_key_cert_pairs,
+    size_t num_key_cert_pairs);
+
+/** --- TLS credential reload config. ---
+    It is used for experimental purpose for now and subject to change.*/
+
+typedef struct grpc_tls_credential_reload_arg grpc_tls_credential_reload_arg;
+
+/** A callback function provided by gRPC to handle the result of credential
+    reload. It is used when schedule API is implemented asynchronously and
+    serves to bring the control back to grpc C core. It is used for
+    experimental purpose for now and subject to change. */
+typedef void (*grpc_tls_on_credential_reload_done_cb)(
+    grpc_tls_credential_reload_arg* arg);
+
+/** A struct containing all information necessary to schedule/cancel
+    a credential reload request. cb and cb_user_data represent a gRPC-provided
+    callback and an argument passed to it. key_materials is an in/output
+    parameter containing currently used/newly reloaded credentials. status and
+    error_details are used to hold information about errors occurred when a
+    credential reload request is scheduled/cancelled. It is used for
+    experimental purpose for now and subject to change. */
+struct grpc_tls_credential_reload_arg {
+  grpc_tls_on_credential_reload_done_cb cb;
+  void* cb_user_data;
+  grpc_tls_key_materials_config* key_materials_config;
+  grpc_status_code status;
+  const char* error_details;
+};
+
+/** Create a grpc_tls_credential_reload_config instance.
+    - config_user_data is config-specific, read-only user data
+      that works for all channels created with a credential using the config.
+    - schedule is a pointer to an application-provided callback used to invoke
+      credential reload API. The implementation of this method has to be
+      non-blocking, but can be performed synchronously or asynchronously.
+      1) If processing occurs synchronously, it populates arg->key_materials,
+      arg->status, and arg->error_details and returns zero.
+      2) If processing occurs asynchronously, it returns a non-zero value.
+      The application then invokes arg->cb when processing is completed. Note
+      that arg->cb cannot be invoked before schedule API returns.
+    - cancel is a pointer to an application-provided callback used to cancel
+      a credential reload request scheduled via an asynchronous schedule API.
+      arg is used to pinpoint an exact reloading request to be cancelled.
+      The operation may not have any effect if the request has already been
+      processed.
+    - destruct is a pointer to an application-provided callback used to clean up
+      any data associated with the config.
+    It is used for experimental purpose for now and subject to change.
+*/
+GRPCAPI grpc_tls_credential_reload_config*
+grpc_tls_credential_reload_config_create(
+    const void* config_user_data,
+    int (*schedule)(void* config_user_data,
+                    grpc_tls_credential_reload_arg* arg),
+    void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg),
+    void (*destruct)(void* config_user_data));
+
+/** --- TLS server authorization check config. ---
+ *  It is used for experimental purpose for now and subject to change. */
+
+typedef struct grpc_tls_server_authorization_check_arg
+    grpc_tls_server_authorization_check_arg;
+
+/** callback function provided by gRPC used to handle the result of server
+    authorization check. It is used when schedule API is implemented
+    asynchronously, and serves to bring the control back to gRPC C core. It is
+    used for experimental purpose for now and subject to change. */
+typedef void (*grpc_tls_on_server_authorization_check_done_cb)(
+    grpc_tls_server_authorization_check_arg* arg);
+
+/** A struct containing all information necessary to schedule/cancel a server
+   authorization check request. cb and cb_user_data represent a gRPC-provided
+   callback and an argument passed to it. result will store the result of
+   server authorization check. target_name is the name of an endpoint the
+   channel is connecting to and certificate represents a complete certificate
+   chain including both signing and leaf certificates. status and error_details
+   contain information about errors occurred when a server authorization check
+   request is scheduled/cancelled. It is used for experimental purpose for now
+   and subject to change.*/
+struct grpc_tls_server_authorization_check_arg {
+  grpc_tls_on_server_authorization_check_done_cb cb;
+  void* cb_user_data;
+  int result;
+  const char* target_name;
+  const char* peer_cert;
+  grpc_status_code status;
+  const char* error_details;
+};
+
+/** Create a grpc_tls_server_authorization_check_config instance.
+    - config_user_data is config-specific, read-only user data
+      that works for all channels created with a credential using the config.
+    - schedule is a pointer to an application-provided callback used to invoke
+      server authorization check API. The implementation of this method has to
+      be non-blocking, but can be performed synchronously or asynchronously.
+      1)If processing occurs synchronously, it populates arg->result,
+      arg->status, and arg->error_details and returns zero.
+      2) If processing occurs asynchronously, it returns a non-zero value. The
+      application then invokes arg->cb when processing is completed. Note that
+      arg->cb cannot be invoked before schedule API returns.
+    - cancel is a pointer to an application-provided callback used to cancel a
+      server authorization check request scheduled via an asynchronous schedule
+      API. arg is used to pinpoint an exact check request to be cancelled. The
+      operation may not have any effect if the request has already been
+      processed.
+    - destruct is a pointer to an application-provided callback used to clean up
+      any data associated with the config.
+    It is used for experimental purpose for now and subject to change.
+*/
+GRPCAPI grpc_tls_server_authorization_check_config*
+grpc_tls_server_authorization_check_config_create(
+    const void* config_user_data,
+    int (*schedule)(void* config_user_data,
+                    grpc_tls_server_authorization_check_arg* arg),
+    void (*cancel)(void* config_user_data,
+                   grpc_tls_server_authorization_check_arg* arg),
+    void (*destruct)(void* config_user_data));
+
 #ifdef __cplusplus
 }
 #endif

package.xml

@@ -229,6 +229,7 @@
     <file baseinstalldir="/" name="src/core/lib/security/credentials/oauth2/oauth2_credentials.h" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/plugin/plugin_credentials.h" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/ssl/ssl_credentials.h" role="src" />
+    <file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/security_connector/alts/alts_security_connector.h" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/security_connector/fake/fake_security_connector.h" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots.h" role="src" />
@@ -670,6 +671,7 @@
     <file baseinstalldir="/" name="src/core/lib/security/credentials/oauth2/oauth2_credentials.cc" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/plugin/plugin_credentials.cc" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/credentials/ssl/ssl_credentials.cc" role="src" />
+    <file baseinstalldir="/" name="src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/security_connector/alts/alts_security_connector.cc" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/security_connector/fake/fake_security_connector.cc" role="src" />
     <file baseinstalldir="/" name="src/core/lib/security/security_connector/load_system_roots_fallback.cc" role="src" />

src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc

@@ -0,0 +1,192 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+
+/** -- gRPC TLS key materials config API implementation. -- **/
+void grpc_tls_key_materials_config::set_key_materials(
+    grpc_core::UniquePtr<char> pem_root_certs,
+    PemKeyCertPairList pem_key_cert_pair_list) {
+  pem_key_cert_pair_list_ = std::move(pem_key_cert_pair_list);
+  pem_root_certs_ = std::move(pem_root_certs);
+}
+
+/** -- gRPC TLS credential reload config API implementation. -- **/
+grpc_tls_credential_reload_config::grpc_tls_credential_reload_config(
+    const void* config_user_data,
+    int (*schedule)(void* config_user_data,
+                    grpc_tls_credential_reload_arg* arg),
+    void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg),
+    void (*destruct)(void* config_user_data))
+    : config_user_data_(const_cast<void*>(config_user_data)),
+      schedule_(schedule),
+      cancel_(cancel),
+      destruct_(destruct) {}
+
+grpc_tls_credential_reload_config::~grpc_tls_credential_reload_config() {
+  if (destruct_ != nullptr) {
+    destruct_((void*)config_user_data_);
+  }
+}
+
+/** -- gRPC TLS server authorization check API implementation. -- **/
+grpc_tls_server_authorization_check_config::
+    grpc_tls_server_authorization_check_config(
+        const void* config_user_data,
+        int (*schedule)(void* config_user_data,
+                        grpc_tls_server_authorization_check_arg* arg),
+        void (*cancel)(void* config_user_data,
+                       grpc_tls_server_authorization_check_arg* arg),
+        void (*destruct)(void* config_user_data))
+    : config_user_data_(const_cast<void*>(config_user_data)),
+      schedule_(schedule),
+      cancel_(cancel),
+      destruct_(destruct) {}
+
+grpc_tls_server_authorization_check_config::
+    ~grpc_tls_server_authorization_check_config() {
+  if (destruct_ != nullptr) {
+    destruct_((void*)config_user_data_);
+  }
+}
+
+/** -- Wrapper APIs declared in grpc_security.h -- **/
+grpc_tls_credentials_options* grpc_tls_credentials_options_create() {
+  return grpc_core::New<grpc_tls_credentials_options>();
+}
+
+int grpc_tls_credentials_options_set_cert_request_type(
+    grpc_tls_credentials_options* options,
+    grpc_ssl_client_certificate_request_type type) {
+  if (options == nullptr) {
+    gpr_log(GPR_ERROR,
+            "Invalid nullptr arguments to "
+            "grpc_tls_credentials_options_set_cert_request_type()");
+    return 0;
+  }
+  options->set_cert_request_type(type);
+  return 1;
+}
+
+int grpc_tls_credentials_options_set_key_materials_config(
+    grpc_tls_credentials_options* options,
+    grpc_tls_key_materials_config* config) {
+  if (options == nullptr || config == nullptr) {
+    gpr_log(GPR_ERROR,
+            "Invalid nullptr arguments to "
+            "grpc_tls_credentials_options_set_key_materials_config()");
+    return 0;
+  }
+  options->set_key_materials_config(config->Ref());
+  return 1;
+}
+
+int grpc_tls_credentials_options_set_credential_reload_config(
+    grpc_tls_credentials_options* options,
+    grpc_tls_credential_reload_config* config) {
+  if (options == nullptr || config == nullptr) {
+    gpr_log(GPR_ERROR,
+            "Invalid nullptr arguments to "
+            "grpc_tls_credentials_options_set_credential_reload_config()");
+    return 0;
+  }
+  options->set_credential_reload_config(config->Ref());
+  return 1;
+}
+
+int grpc_tls_credentials_options_set_server_authorization_check_config(
+    grpc_tls_credentials_options* options,
+    grpc_tls_server_authorization_check_config* config) {
+  if (options == nullptr || config == nullptr) {
+    gpr_log(
+        GPR_ERROR,
+        "Invalid nullptr arguments to "
+        "grpc_tls_credentials_options_set_server_authorization_check_config()");
+    return 0;
+  }
+  options->set_server_authorization_check_config(config->Ref());
+  return 1;
+}
+
+grpc_tls_key_materials_config* grpc_tls_key_materials_config_create() {
+  return grpc_core::New<grpc_tls_key_materials_config>();
+}
+
+int grpc_tls_key_materials_config_set_key_materials(
+    grpc_tls_key_materials_config* config, const char* root_certs,
+    const grpc_ssl_pem_key_cert_pair** key_cert_pairs, size_t num) {
+  if (config == nullptr || key_cert_pairs == nullptr || num == 0) {
+    gpr_log(GPR_ERROR,
+            "Invalid arguments to "
+            "grpc_tls_key_materials_config_set_key_materials()");
+    return 0;
+  }
+  grpc_core::UniquePtr<char> pem_root(const_cast<char*>(root_certs));
+  grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list;
+  for (size_t i = 0; i < num; i++) {
+    grpc_core::PemKeyCertPair key_cert_pair(
+        const_cast<grpc_ssl_pem_key_cert_pair*>(key_cert_pairs[i]));
+    cert_pair_list.emplace_back(std::move(key_cert_pair));
+  }
+  config->set_key_materials(std::move(pem_root), std::move(cert_pair_list));
+  gpr_free(key_cert_pairs);
+  return 1;
+}
+
+grpc_tls_credential_reload_config* grpc_tls_credential_reload_config_create(
+    const void* config_user_data,
+    int (*schedule)(void* config_user_data,
+                    grpc_tls_credential_reload_arg* arg),
+    void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg),
+    void (*destruct)(void* config_user_data)) {
+  if (schedule == nullptr) {
+    gpr_log(
+        GPR_ERROR,
+        "Schedule API is nullptr in creating TLS credential reload config.");
+    return nullptr;
+  }
+  return grpc_core::New<grpc_tls_credential_reload_config>(
+      config_user_data, schedule, cancel, destruct);
+}
+
+grpc_tls_server_authorization_check_config*
+grpc_tls_server_authorization_check_config_create(
+    const void* config_user_data,
+    int (*schedule)(void* config_user_data,
+                    grpc_tls_server_authorization_check_arg* arg),
+    void (*cancel)(void* config_user_data,
+                   grpc_tls_server_authorization_check_arg* arg),
+    void (*destruct)(void* config_user_data)) {
+  if (schedule == nullptr) {
+    gpr_log(GPR_ERROR,
+            "Schedule API is nullptr in creating TLS server authorization "
+            "check config.");
+    return nullptr;
+  }
+  return grpc_core::New<grpc_tls_server_authorization_check_config>(
+      config_user_data, schedule, cancel, destruct);
+}

src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h

@@ -0,0 +1,213 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
+#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/gprpp/inlined_vector.h"
+#include "src/core/lib/gprpp/ref_counted.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
+
+/** TLS key materials config. **/
+struct grpc_tls_key_materials_config
+    : public grpc_core::RefCounted<grpc_tls_key_materials_config> {
+ public:
+  typedef grpc_core::InlinedVector<grpc_core::PemKeyCertPair, 1>
+      PemKeyCertPairList;
+
+  /** Getters for member fields. **/
+  const char* pem_root_certs() const { return pem_root_certs_.get(); }
+  const PemKeyCertPairList& pem_key_cert_pair_list() const {
+    return pem_key_cert_pair_list_;
+  }
+
+  /** Setters for member fields. **/
+  void set_key_materials(grpc_core::UniquePtr<char> pem_root_certs,
+                         PemKeyCertPairList pem_key_cert_pair_list);
+
+ private:
+  PemKeyCertPairList pem_key_cert_pair_list_;
+  grpc_core::UniquePtr<char> pem_root_certs_;
+};
+
+/** TLS credential reload config. **/
+struct grpc_tls_credential_reload_config
+    : public grpc_core::RefCounted<grpc_tls_credential_reload_config> {
+ public:
+  grpc_tls_credential_reload_config(
+      const void* config_user_data,
+      int (*schedule)(void* config_user_data,
+                      grpc_tls_credential_reload_arg* arg),
+      void (*cancel)(void* config_user_data,
+                     grpc_tls_credential_reload_arg* arg),
+      void (*destruct)(void* config_user_data));
+  ~grpc_tls_credential_reload_config();
+
+  int Schedule(grpc_tls_credential_reload_arg* arg) const {
+    return schedule_(config_user_data_, arg);
+  }
+  void Cancel(grpc_tls_credential_reload_arg* arg) const {
+    if (cancel_ == nullptr) {
+      gpr_log(GPR_ERROR, "cancel API is nullptr.");
+      return;
+    }
+    cancel_(config_user_data_, arg);
+  }
+
+ private:
+  /** config-specific, read-only user data that works for all channels created
+     with a credential using the config. */
+  void* config_user_data_;
+  /** callback function for invoking credential reload API. The implementation
+     of this method has to be non-blocking, but can be performed synchronously
+     or asynchronously.
+     If processing occurs synchronously, it populates \a arg->key_materials, \a
+     arg->status, and \a arg->error_details and returns zero.
+     If processing occurs asynchronously, it returns a non-zero value.
+     Application then invokes \a arg->cb when processing is completed. Note that
+     \a arg->cb cannot be invoked before \a schedule returns.
+  */
+  int (*schedule_)(void* config_user_data, grpc_tls_credential_reload_arg* arg);
+  /** callback function for cancelling a credential reload request scheduled via
+     an asynchronous \a schedule. \a arg is used to pinpoint an exact reloading
+     request to be cancelled, and the operation may not have any effect if the
+     request has already been processed. */
+  void (*cancel_)(void* config_user_data, grpc_tls_credential_reload_arg* arg);
+  /** callback function for cleaning up any data associated with credential
+     reload config. */
+  void (*destruct_)(void* config_user_data);
+};
+
+/** TLS server authorization check config. **/
+struct grpc_tls_server_authorization_check_config
+    : public grpc_core::RefCounted<grpc_tls_server_authorization_check_config> {
+ public:
+  grpc_tls_server_authorization_check_config(
+      const void* config_user_data,
+      int (*schedule)(void* config_user_data,
+                      grpc_tls_server_authorization_check_arg* arg),
+      void (*cancel)(void* config_user_data,
+                     grpc_tls_server_authorization_check_arg* arg),
+      void (*destruct)(void* config_user_data));
+  ~grpc_tls_server_authorization_check_config();
+
+  int Schedule(grpc_tls_server_authorization_check_arg* arg) const {
+    return schedule_(config_user_data_, arg);
+  }
+  void Cancel(grpc_tls_server_authorization_check_arg* arg) const {
+    if (cancel_ == nullptr) {
+      gpr_log(GPR_ERROR, "cancel API is nullptr.");
+      return;
+    }
+    cancel_(config_user_data_, arg);
+  }
+
+ private:
+  /** config-specific, read-only user data that works for all channels created
+     with a Credential using the config. */
+  void* config_user_data_;
+
+  /** callback function for invoking server authorization check. The
+     implementation of this method has to be non-blocking, but can be performed
+     synchronously or asynchronously.
+     If processing occurs synchronously, it populates \a arg->result, \a
+     arg->status, and \a arg->error_details, and returns zero.
+     If processing occurs asynchronously, it returns a non-zero value.
+     Application then invokes \a arg->cb when processing is completed. Note that
+     \a arg->cb cannot be invoked before \a schedule() returns.
+  */
+  int (*schedule_)(void* config_user_data,
+                   grpc_tls_server_authorization_check_arg* arg);
+
+  /** callback function for canceling a server authorization check request. */
+  void (*cancel_)(void* config_user_data,
+                  grpc_tls_server_authorization_check_arg* arg);
+
+  /** callback function for cleaning up any data associated with server
+     authorization check config. */
+  void (*destruct_)(void* config_user_data);
+};
+
+/* TLS credentials options. */
+struct grpc_tls_credentials_options
+    : public grpc_core::RefCounted<grpc_tls_credentials_options> {
+ public:
+  ~grpc_tls_credentials_options() {
+    if (key_materials_config_.get() != nullptr) {
+      key_materials_config_.get()->Unref();
+    }
+    if (credential_reload_config_.get() != nullptr) {
+      credential_reload_config_.get()->Unref();
+    }
+    if (server_authorization_check_config_.get() != nullptr) {
+      server_authorization_check_config_.get()->Unref();
+    }
+  }
+
+  /* Getters for member fields. */
+  grpc_ssl_client_certificate_request_type cert_request_type() const {
+    return cert_request_type_;
+  }
+  const grpc_tls_key_materials_config* key_materials_config() const {
+    return key_materials_config_.get();
+  }
+  const grpc_tls_credential_reload_config* credential_reload_config() const {
+    return credential_reload_config_.get();
+  }
+  const grpc_tls_server_authorization_check_config*
+  server_authorization_check_config() const {
+    return server_authorization_check_config_.get();
+  }
+  grpc_tls_key_materials_config* mutable_key_materials_config() {
+    return key_materials_config_.get();
+  }
+
+  /* Setters for member fields. */
+  void set_cert_request_type(
+      const grpc_ssl_client_certificate_request_type type) {
+    cert_request_type_ = type;
+  }
+  void set_key_materials_config(
+      grpc_core::RefCountedPtr<grpc_tls_key_materials_config> config) {
+    key_materials_config_ = std::move(config);
+  }
+  void set_credential_reload_config(
+      grpc_core::RefCountedPtr<grpc_tls_credential_reload_config> config) {
+    credential_reload_config_ = std::move(config);
+  }
+  void set_server_authorization_check_config(
+      grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
+          config) {
+    server_authorization_check_config_ = std::move(config);
+  }
+
+ private:
+  grpc_ssl_client_certificate_request_type cert_request_type_;
+  grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
+  grpc_core::RefCountedPtr<grpc_tls_credential_reload_config>
+      credential_reload_config_;
+  grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
+      server_authorization_check_config_;
+};
+
+#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H \
+        */

src/core/lib/security/security_connector/ssl_utils.h

@@ -89,6 +89,39 @@ class DefaultSslRootStore {
   static grpc_slice default_pem_root_certs_;
 };
 
+class PemKeyCertPair {
+ public:
+  // Construct from the C struct.  We steal its members and then immediately
+  // free it.
+  explicit PemKeyCertPair(grpc_ssl_pem_key_cert_pair* pair)
+      : private_key_(const_cast<char*>(pair->private_key)),
+        cert_chain_(const_cast<char*>(pair->cert_chain)) {
+    gpr_free(pair);
+  }
+
+  // Movable.
+  PemKeyCertPair(PemKeyCertPair&& other) {
+    private_key_ = std::move(other.private_key_);
+    cert_chain_ = std::move(other.cert_chain_);
+  }
+  PemKeyCertPair& operator=(PemKeyCertPair&& other) {
+    private_key_ = std::move(other.private_key_);
+    cert_chain_ = std::move(other.cert_chain_);
+    return *this;
+  }
+
+  // Not copyable.
+  PemKeyCertPair(const PemKeyCertPair&) = delete;
+  PemKeyCertPair& operator=(const PemKeyCertPair&) = delete;
+
+  char* private_key() const { return private_key_.get(); }
+  char* cert_chain() const { return cert_chain_.get(); }
+
+ private:
+  grpc_core::UniquePtr<char> private_key_;
+  grpc_core::UniquePtr<char> cert_chain_;
+};
+
 }  // namespace grpc_core
 
 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_UTILS_H \

src/python/grpcio/grpc_core_dependencies.py

@@ -257,6 +257,7 @@ CORE_SOURCE_FILES = [
     'src/core/lib/security/credentials/oauth2/oauth2_credentials.cc',
     'src/core/lib/security/credentials/plugin/plugin_credentials.cc',
     'src/core/lib/security/credentials/ssl/ssl_credentials.cc',
+    'src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc',
     'src/core/lib/security/security_connector/alts/alts_security_connector.cc',
     'src/core/lib/security/security_connector/fake/fake_security_connector.cc',
     'src/core/lib/security/security_connector/load_system_roots_fallback.cc',

src/ruby/ext/grpc/rb_grpc_imports.generated.c

@@ -154,6 +154,15 @@ grpc_alts_credentials_create_type grpc_alts_credentials_create_import;
 grpc_alts_server_credentials_create_type grpc_alts_server_credentials_create_import;
 grpc_local_credentials_create_type grpc_local_credentials_create_import;
 grpc_local_server_credentials_create_type grpc_local_server_credentials_create_import;
+grpc_tls_credentials_options_create_type grpc_tls_credentials_options_create_import;
+grpc_tls_credentials_options_set_cert_request_type_type grpc_tls_credentials_options_set_cert_request_type_import;
+grpc_tls_credentials_options_set_key_materials_config_type grpc_tls_credentials_options_set_key_materials_config_import;
+grpc_tls_credentials_options_set_credential_reload_config_type grpc_tls_credentials_options_set_credential_reload_config_import;
+grpc_tls_credentials_options_set_server_authorization_check_config_type grpc_tls_credentials_options_set_server_authorization_check_config_import;
+grpc_tls_key_materials_config_create_type grpc_tls_key_materials_config_create_import;
+grpc_tls_key_materials_config_set_key_materials_type grpc_tls_key_materials_config_set_key_materials_import;
+grpc_tls_credential_reload_config_create_type grpc_tls_credential_reload_config_create_import;
+grpc_tls_server_authorization_check_config_create_type grpc_tls_server_authorization_check_config_create_import;
 grpc_raw_byte_buffer_create_type grpc_raw_byte_buffer_create_import;
 grpc_raw_compressed_byte_buffer_create_type grpc_raw_compressed_byte_buffer_create_import;
 grpc_byte_buffer_copy_type grpc_byte_buffer_copy_import;
@@ -412,6 +421,15 @@ void grpc_rb_load_imports(HMODULE library) {
   grpc_alts_server_credentials_create_import = (grpc_alts_server_credentials_create_type) GetProcAddress(library, "grpc_alts_server_credentials_create");
   grpc_local_credentials_create_import = (grpc_local_credentials_create_type) GetProcAddress(library, "grpc_local_credentials_create");
   grpc_local_server_credentials_create_import = (grpc_local_server_credentials_create_type) GetProcAddress(library, "grpc_local_server_credentials_create");
+  grpc_tls_credentials_options_create_import = (grpc_tls_credentials_options_create_type) GetProcAddress(library, "grpc_tls_credentials_options_create");
+  grpc_tls_credentials_options_set_cert_request_type_import = (grpc_tls_credentials_options_set_cert_request_type_type) GetProcAddress(library, "grpc_tls_credentials_options_set_cert_request_type");
+  grpc_tls_credentials_options_set_key_materials_config_import = (grpc_tls_credentials_options_set_key_materials_config_type) GetProcAddress(library, "grpc_tls_credentials_options_set_key_materials_config");
+  grpc_tls_credentials_options_set_credential_reload_config_import = (grpc_tls_credentials_options_set_credential_reload_config_type) GetProcAddress(library, "grpc_tls_credentials_options_set_credential_reload_config");
+  grpc_tls_credentials_options_set_server_authorization_check_config_import = (grpc_tls_credentials_options_set_server_authorization_check_config_type) GetProcAddress(library, "grpc_tls_credentials_options_set_server_authorization_check_config");
+  grpc_tls_key_materials_config_create_import = (grpc_tls_key_materials_config_create_type) GetProcAddress(library, "grpc_tls_key_materials_config_create");
+  grpc_tls_key_materials_config_set_key_materials_import = (grpc_tls_key_materials_config_set_key_materials_type) GetProcAddress(library, "grpc_tls_key_materials_config_set_key_materials");
+  grpc_tls_credential_reload_config_create_import = (grpc_tls_credential_reload_config_create_type) GetProcAddress(library, "grpc_tls_credential_reload_config_create");
+  grpc_tls_server_authorization_check_config_create_import = (grpc_tls_server_authorization_check_config_create_type) GetProcAddress(library, "grpc_tls_server_authorization_check_config_create");
   grpc_raw_byte_buffer_create_import = (grpc_raw_byte_buffer_create_type) GetProcAddress(library, "grpc_raw_byte_buffer_create");
   grpc_raw_compressed_byte_buffer_create_import = (grpc_raw_compressed_byte_buffer_create_type) GetProcAddress(library, "grpc_raw_compressed_byte_buffer_create");
   grpc_byte_buffer_copy_import = (grpc_byte_buffer_copy_type) GetProcAddress(library, "grpc_byte_buffer_copy");

src/ruby/ext/grpc/rb_grpc_imports.generated.h

@@ -437,6 +437,33 @@ extern grpc_local_credentials_create_type grpc_local_credentials_create_import;
 typedef grpc_server_credentials*(*grpc_local_server_credentials_create_type)(grpc_local_connect_type type);
 extern grpc_local_server_credentials_create_type grpc_local_server_credentials_create_import;
 #define grpc_local_server_credentials_create grpc_local_server_credentials_create_import
+typedef grpc_tls_credentials_options*(*grpc_tls_credentials_options_create_type)();
+extern grpc_tls_credentials_options_create_type grpc_tls_credentials_options_create_import;
+#define grpc_tls_credentials_options_create grpc_tls_credentials_options_create_import
+typedef int(*grpc_tls_credentials_options_set_cert_request_type_type)(grpc_tls_credentials_options* options, grpc_ssl_client_certificate_request_type type);
+extern grpc_tls_credentials_options_set_cert_request_type_type grpc_tls_credentials_options_set_cert_request_type_import;
+#define grpc_tls_credentials_options_set_cert_request_type grpc_tls_credentials_options_set_cert_request_type_import
+typedef int(*grpc_tls_credentials_options_set_key_materials_config_type)(grpc_tls_credentials_options* options, grpc_tls_key_materials_config* config);
+extern grpc_tls_credentials_options_set_key_materials_config_type grpc_tls_credentials_options_set_key_materials_config_import;
+#define grpc_tls_credentials_options_set_key_materials_config grpc_tls_credentials_options_set_key_materials_config_import
+typedef int(*grpc_tls_credentials_options_set_credential_reload_config_type)(grpc_tls_credentials_options* options, grpc_tls_credential_reload_config* config);
+extern grpc_tls_credentials_options_set_credential_reload_config_type grpc_tls_credentials_options_set_credential_reload_config_import;
+#define grpc_tls_credentials_options_set_credential_reload_config grpc_tls_credentials_options_set_credential_reload_config_import
+typedef int(*grpc_tls_credentials_options_set_server_authorization_check_config_type)(grpc_tls_credentials_options* options, grpc_tls_server_authorization_check_config* config);
+extern grpc_tls_credentials_options_set_server_authorization_check_config_type grpc_tls_credentials_options_set_server_authorization_check_config_import;
+#define grpc_tls_credentials_options_set_server_authorization_check_config grpc_tls_credentials_options_set_server_authorization_check_config_import
+typedef grpc_tls_key_materials_config*(*grpc_tls_key_materials_config_create_type)();
+extern grpc_tls_key_materials_config_create_type grpc_tls_key_materials_config_create_import;
+#define grpc_tls_key_materials_config_create grpc_tls_key_materials_config_create_import
+typedef int(*grpc_tls_key_materials_config_set_key_materials_type)(grpc_tls_key_materials_config* config, const char* pem_root_certs, const grpc_ssl_pem_key_cert_pair** pem_key_cert_pairs, size_t num_key_cert_pairs);
+extern grpc_tls_key_materials_config_set_key_materials_type grpc_tls_key_materials_config_set_key_materials_import;
+#define grpc_tls_key_materials_config_set_key_materials grpc_tls_key_materials_config_set_key_materials_import
+typedef grpc_tls_credential_reload_config*(*grpc_tls_credential_reload_config_create_type)(const void* config_user_data, int (*schedule)(void* config_user_data, grpc_tls_credential_reload_arg* arg), void (*cancel)(void* config_user_data, grpc_tls_credential_reload_arg* arg), void (*destruct)(void* config_user_data));
+extern grpc_tls_credential_reload_config_create_type grpc_tls_credential_reload_config_create_import;
+#define grpc_tls_credential_reload_config_create grpc_tls_credential_reload_config_create_import
+typedef grpc_tls_server_authorization_check_config*(*grpc_tls_server_authorization_check_config_create_type)(const void* config_user_data, int (*schedule)(void* config_user_data, grpc_tls_server_authorization_check_arg* arg), void (*cancel)(void* config_user_data, grpc_tls_server_authorization_check_arg* arg), void (*destruct)(void* config_user_data));
+extern grpc_tls_server_authorization_check_config_create_type grpc_tls_server_authorization_check_config_create_import;
+#define grpc_tls_server_authorization_check_config_create grpc_tls_server_authorization_check_config_create_import
 typedef grpc_byte_buffer*(*grpc_raw_byte_buffer_create_type)(grpc_slice* slices, size_t nslices);
 extern grpc_raw_byte_buffer_create_type grpc_raw_byte_buffer_create_import;
 #define grpc_raw_byte_buffer_create grpc_raw_byte_buffer_create_import

test/core/surface/public_headers_must_be_c89.c

@@ -191,6 +191,15 @@ int main(int argc, char **argv) {
   printf("%lx", (unsigned long) grpc_alts_server_credentials_create);
   printf("%lx", (unsigned long) grpc_local_credentials_create);
   printf("%lx", (unsigned long) grpc_local_server_credentials_create);
+  printf("%lx", (unsigned long) grpc_tls_credentials_options_create);
+  printf("%lx", (unsigned long) grpc_tls_credentials_options_set_cert_request_type);
+  printf("%lx", (unsigned long) grpc_tls_credentials_options_set_key_materials_config);
+  printf("%lx", (unsigned long) grpc_tls_credentials_options_set_credential_reload_config);
+  printf("%lx", (unsigned long) grpc_tls_credentials_options_set_server_authorization_check_config);
+  printf("%lx", (unsigned long) grpc_tls_key_materials_config_create);
+  printf("%lx", (unsigned long) grpc_tls_key_materials_config_set_key_materials);
+  printf("%lx", (unsigned long) grpc_tls_credential_reload_config_create);
+  printf("%lx", (unsigned long) grpc_tls_server_authorization_check_config_create);
   printf("%lx", (unsigned long) grpc_raw_byte_buffer_create);
   printf("%lx", (unsigned long) grpc_raw_compressed_byte_buffer_create);
   printf("%lx", (unsigned long) grpc_byte_buffer_copy);

tools/doxygen/Doxyfile.core.internal

@@ -1384,6 +1384,8 @@ src/core/lib/security/credentials/plugin/plugin_credentials.cc \
 src/core/lib/security/credentials/plugin/plugin_credentials.h \
 src/core/lib/security/credentials/ssl/ssl_credentials.cc \
 src/core/lib/security/credentials/ssl/ssl_credentials.h \
+src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \
+src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h \
 src/core/lib/security/security_connector/alts/alts_security_connector.cc \
 src/core/lib/security/security_connector/alts/alts_security_connector.h \
 src/core/lib/security/security_connector/fake/fake_security_connector.cc \

tools/run_tests/generated/sources_and_headers.json

@@ -10381,6 +10381,7 @@
       "src/core/lib/security/credentials/oauth2/oauth2_credentials.h", 
       "src/core/lib/security/credentials/plugin/plugin_credentials.h", 
       "src/core/lib/security/credentials/ssl/ssl_credentials.h", 
+      "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h", 
       "src/core/lib/security/security_connector/alts/alts_security_connector.h", 
       "src/core/lib/security/security_connector/fake/fake_security_connector.h", 
       "src/core/lib/security/security_connector/load_system_roots.h", 
@@ -10434,6 +10435,8 @@
       "src/core/lib/security/credentials/plugin/plugin_credentials.h", 
       "src/core/lib/security/credentials/ssl/ssl_credentials.cc", 
       "src/core/lib/security/credentials/ssl/ssl_credentials.h", 
+      "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc", 
+      "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h", 
       "src/core/lib/security/security_connector/alts/alts_security_connector.cc", 
       "src/core/lib/security/security_connector/alts/alts_security_connector.h", 
       "src/core/lib/security/security_connector/fake/fake_security_connector.cc",